npm - nodebb-plugin-anti-account-sharing - Versions diffs - 1.0.4 → 1.0.6 - Mend

nodebb-plugin-anti-account-sharing 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/library.js CHANGED Viewed

@@ -1,91 +1,123 @@
 'use strict';
-const db = require.main.require('./src/database');
-const user = require.main.require('./src/user');
-const Plugin = {};
-// --- AYARLAR ---
-const MAX_DEVICES = 1; // kaç bilgisayar?
-function isMobile(req) {
-  const ua = req?.headers?.['user-agent'] || '';
-  return /Mobile|Android|iPhone|iPad|iPod/i.test(ua);
-}
-Plugin.init = async function () {
-  console.log(`[Anti-Share] Aktif ✅ (Limit: ${MAX_DEVICES} PC)`);
+const crypto = require('crypto');
+const winston = require.main.require('winston');
+const meta = require.main.require('./src/meta');
+const PLUGIN_ID = 'nodebb-plugin-anti-account-sharing';
+const DEFAULTS = {
+  enabled: true,
+  enforcement: 'kick',
+  windowSeconds: 300,
+  logLevel: 'info',
+  includeAcceptLanguage: false,
+  trustProxy: true,
 };
-// Login olduğunda session ekle (req gelmezse bile sorun değil, aşağıda fallback var)
-Plugin.recordSession = async function (data) {
-  const req = data?.req;
-  const uid = data?.uid;
-  if (!req || !uid || !req.sessionID) return;
-  if (isMobile(req)) return;
-  const key = `antishare:sessionsz:${uid}`; // <-- DİKKAT: yeni key (zset)
-  const sid = req.sessionID;
+function toBool(v) {
+  if (typeof v === 'boolean') return v;
+  if (typeof v === 'string') return ['1', 'true', 'yes', 'on'].includes(v.toLowerCase());
+  return !!v;
+}
-  // Eğer yoksa ekle (varsa score'u güncelleme!)
-  const all = await db.getSortedSetRevRange(key, 0, -1);
-  if (!all.includes(sid)) {
-    await db.sortedSetAdd(key, Date.now(), sid);
-  }
+function toInt(v, dflt) {
+  const n = parseInt(v, 10);
+  return Number.isFinite(n) ? n : dflt;
+}
-  // sadece son MAX_DEVICES tut
-  const newest = await db.getSortedSetRevRange(key, 0, -1);
-  const toRemove = newest.slice(MAX_DEVICES);
-  if (toRemove.length) {
-    await db.sortedSetRemove(key, toRemove);
+async function getSettings() {
+  let s = {};
+  try {
+    s = await meta.settings.get(PLUGIN_ID);
+  } catch (e) {
+    s = {};
   }
-};
-// Her page + api isteğinde kontrol
-Plugin.checkSession = async function (data) {
-  const req = data?.req;
-  const res = data?.res;
+  const out = {
+    enabled: toBool(s.enabled ?? DEFAULTS.enabled),
+    enforcement: (s.enforcement || DEFAULTS.enforcement).toLowerCase(),
+    windowSeconds: toInt(s.windowSeconds ?? DEFAULTS.windowSeconds, DEFAULTS.windowSeconds),
+    logLevel: (s.logLevel || DEFAULTS.logLevel).toLowerCase(),
+    includeAcceptLanguage: toBool(s.includeAcceptLanguage ?? DEFAULTS.includeAcceptLanguage),
+    trustProxy: toBool(s.trustProxy ?? DEFAULTS.trustProxy),
+  };
-  if (!req || !res) return data;
-  if (!req.uid || req.uid <= 0 || isMobile(req)) return data;
+  if (!['kick', 'block'].includes(out.enforcement)) out.enforcement = DEFAULTS.enforcement;
+  if (!['debug', 'info', 'warn', 'error'].includes(out.logLevel)) out.logLevel = DEFAULTS.logLevel;
+  if (out.windowSeconds < 0) out.windowSeconds = DEFAULTS.windowSeconds;
-  const isAdmin = await user.isAdministrator(req.uid);
-  if (isAdmin) return data;
-  const sid = req.sessionID;
-  if (!sid) return data;
+  return out;
+}
-  const key = `antishare:sessionsz:${req.uid}`;
+function sha1(input) {
+  return crypto.createHash('sha1').update(String(input)).digest('hex');
+}
-  // Sadece en yeni MAX_DEVICES session allowed
-  const allowed = await db.getSortedSetRevRange(key, 0, MAX_DEVICES - 1);
+function getClientIp(req, trustProxy) {
+  if (trustProxy) {
+    const xff = (req.headers['x-forwarded-for'] || '').toString();
+    if (xff) return xff.split(',')[0].trim();
+  }
+  return (
+    req.ip ||
+    (req.connection && req.connection.remoteAddress) ||
+    (req.socket && req.socket.remoteAddress) ||
+    ''
+  );
+}
-  // Eğer henüz kayıt yoksa (çok nadir) karışma
-  if (!Array.isArray(allowed) || !allowed.length) return data;
+function getFingerprint(req, settings) {
+  const ip = getClientIp(req, settings.trustProxy);
+  const ua = (req.headers['user-agent'] || '').toString();
+  const al = (req.headers['accept-language'] || '').toString();
+  const raw = settings.includeAcceptLanguage ? `${ip}|${ua}|${al}` : `${ip}|${ua}`;
+  return sha1(raw);
+}
-  // allowed değilse -> kick
-  if (!allowed.includes(sid)) {
-    try { req.logout?.(); } catch (e) {}
-    if (req.session) {
-      try { req.session.destroy(() => {}); } catch (e) {}
-    }
+function safeJson(x) {
+  try { return JSON.stringify(x); } catch (e) { return '[unjsonable]'; }
+}
-    const wantsJson =
-      req.xhr ||
-      (req.headers.accept && req.headers.accept.includes('json')) ||
-      req.originalUrl?.startsWith('/api/');
+function buildLogger(settings) {
+  const level = settings?.logLevel || 'info';
-    if (wantsJson) {
-      res.status(401).json({ error: 'session_terminated', message: 'Maksimum cihaz sınırına ulaşıldı.' });
-      return;
-    }
+  function log(lvl, msg, metaObj) {
+    const line = `[AAS] ${msg}${metaObj ? ` ${safeJson(metaObj)}` : ''}`;
+    if (winston && typeof winston[lvl] === 'function') winston[lvl](line);
+    else if (winston && typeof winston.info === 'function') winston.info(line);
-    res.redirect('/login?error=session-conflict');
-    return;
+    if (lvl === 'error') console.error(line);
+    else if (lvl === 'warn') console.warn(line);
+    else console.log(line);
   }
-  return data;
-};
-module.exports = Plugin;
+  return {
+    debug: (msg, metaObj) => (['debug'].includes(level) ? log('info', `DEBUG: ${msg}`, metaObj) : null),
+    info: (msg, metaObj) => (['debug', 'info'].includes(level) ? log('info', msg, metaObj) : null),
+    warn: (msg, metaObj) => (['debug', 'info', 'warn'].includes(level) ? log('warn', msg, metaObj) : null),
+    error: (msg, metaObj) => log('error', msg, metaObj),
+  };
+}
+/**
+ * ✅ IMPORTANT: Hook'ları burada export et
+ * security.js içinde bunlar tanımlı olacak.
+ */
+const Security = require('./security');
+module.exports = {
+  // helpers
+  PLUGIN_ID,
+  DEFAULTS,
+  getSettings,
+  getFingerprint,
+  getClientIp,
+  sha1,
+  buildLogger,
+  // hooks (plugin.json bunları arıyor)
+  init: Security.init,
+  recordSession: Security.recordSession,
+  checkSession: Security.checkSession,
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "nodebb-plugin-anti-account-sharing",
-  "version": "1.0.4",
+  "version": "1.0.6",
   "description": "Prevents account sharing by enforcing a single active session policy for desktop devices.",
   "main": "library.js",
   "keywords": [

package/static/security.js CHANGED Viewed

@@ -1,97 +1,238 @@
 'use strict';
-(function () {
-  function showSecurityModal() {
-    // Varsa eski modalları temizle
-    $('#antishare-modal').remove();
-    const modalHtml = `
-      <div id="antishare-modal" style="
-        position: fixed; top: 0; left: 0; width: 100%; height: 100%;
-        background: rgba(0,0,0,0.92); z-index: 999999;
-        display: flex; flex-direction: column; align-items: center; justify-content: center;
-        text-align: center; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-        animation: fadeIn 0.3s ease;
-      ">
-        <div style="
-          background: #ffffff; padding: 40px; border-radius: 16px;
-          max-width: 90%; width: 400px; box-shadow: 0 10px 40px rgba(0,0,0,0.5);
-          position: relative; overflow: hidden;
-        ">
-          <div style="position: absolute; top:0; left:0; width:100%; height:6px; background:#d9534f;"></div>
-          <div style="
-            width: 70px; height: 70px; background: #fdf2f2; border-radius: 50%;
-            display: flex; align-items: center; justify-content: center; margin: 0 auto 20px;
-          ">
-            <i class="fa fa-shield" style="font-size: 32px; color: #d9534f;"></i>
-          </div>
-          <h2 style="color: #333; margin: 0 0 10px; font-size: 22px; font-weight: 700;">Oturum Sonlandırıldı</h2>
-          <p style="color: #666; font-size: 14px; line-height: 1.6; margin: 0 0 30px;">
-            Hesabınıza <strong>başka bir bilgisayardan</strong> giriş yapıldığı tespit edildi.<br><br>
-            Hesap güvenliğiniz için önceki cihazdaki oturum otomatik olarak kapatılmıştır.
-          </p>
-          <a href="/login" style="
-            display: block; width: 100%; padding: 14px 0;
-            background: #d9534f; color: #fff; text-decoration: none;
-            font-weight: 600; border-radius: 8px; font-size: 15px;
-            transition: background 0.2s;
-          " onmouseover="this.style.background='#c9302c'" onmouseout="this.style.background='#d9534f'">
-            TEKRAR GİRİŞ YAP
-          </a>
-          <div style="margin-top: 20px; font-size: 12px; color: #999;">
-            Mobil cihazlarınız bu durumdan etkilenmez.
-          </div>
-        </div>
-      </div>
-      <style>@keyframes fadeIn { from { opacity:0; transform:scale(0.95); } to { opacity:1; transform:scale(1); } }</style>
-    `;
-    $('body').append(modalHtml);
-    $('body').css('overflow', 'hidden');
+const db = require.main.require('./src/database');
+const user = require.main.require('./src/user');
+const {
+  getSettings,
+  getFingerprint,
+  buildLogger,
+  PLUGIN_ID,
+} = require('./library');
+const KEY_LAST_FP = (uid) => `uid:${uid}:aas:lastfp`;
+const KEY_LAST_SEEN = (uid) => `uid:${uid}:aas:lastseen`; // epoch seconds
+const KEY_LAST_IP = (uid) => `uid:${uid}:aas:lastip`;
+const KEY_LAST_UA = (uid) => `uid:${uid}:aas:lastua`;
+const SESS_SET = (uid) => `uid:${uid}:sessions`;
+// NodeBB’de yaygın session obj key isimleri (kuruluma göre değişebiliyor)
+function sessionObjectKeys(sid) {
+  return [
+    `sess:${sid}`,
+    `session:${sid}`,
+    `sessions:${sid}`,
+  ];
+}
+async function getUserSessionIds(uid) {
+  try {
+    const sids = await db.getSortedSetRange(SESS_SET(uid), 0, -1);
+    return Array.isArray(sids) ? sids : [];
+  } catch (e) {
+    return [];
   }
+}
-  function checkUrlParam() {
-    const urlParams = new URLSearchParams(window.location.search);
-    if (urlParams.get('error') === 'session-conflict') {
-      showSecurityModal();
+async function deleteSessionObjects(sid, logger) {
+  for (const k of sessionObjectKeys(sid)) {
+    try {
+      await db.delete(k);
+      logger.debug('Deleted session object', { key: k });
+    } catch (e) {
+      // ignore
     }
   }
+}
-  // --- 1) İlk yükleme + SPA geçişleri ---
-  $(document).ready(checkUrlParam);
-  $(window).on('action:ajaxify.end', checkUrlParam);
+async function kickOtherSessions(uid, keepSid, logger) {
+  const all = await getUserSessionIds(uid);
+  if (!all.length) return { total: 0, removed: 0 };
-  // --- 2) jQuery AJAX 401 yakala ---
-  $(document).ajaxError(function (event, jqxhr) {
-    if (jqxhr && jqxhr.status === 401 && jqxhr.responseJSON && jqxhr.responseJSON.error === 'session_terminated') {
-      showSecurityModal();
+  let removed = 0;
+  for (const sid of all) {
+    if (!sid) continue;
+    if (keepSid && sid === keepSid) continue;
+    try {
+      await db.sortedSetRemove(SESS_SET(uid), sid);
+      removed += 1;
+      logger.info('Removed session from uid sessions set', { uid, sid });
+    } catch (e) {
+      logger.warn('Failed removing session from sessions set', { uid, sid, err: e.message });
     }
-  });
-  // --- 3) FETCH 401 yakala (asıl eksik buydu) ---
-  const _fetch = window.fetch;
-  window.fetch = async function (...args) {
-    const res = await _fetch.apply(this, args);
+    await deleteSessionObjects(sid, logger);
+  }
+  return { total: all.length, removed };
+}
+function getCurrentSessionId(req) {
+  // Express-session genelde req.sessionID verir
+  if (req && req.sessionID) return req.sessionID;
+  // Cookie’den yakalamayı dene (connect.sid vb.)
+  const cookie = (req.headers && req.headers.cookie) ? String(req.headers.cookie) : '';
+  const m = cookie.match(/connect\.sid=([^;]+)/i);
+  if (m && m[1]) return decodeURIComponent(m[1]).replace(/^s:/, '').split('.')[0];
+  return null;
+}
+async function shouldTrigger(uid, fp, nowSec, settings) {
+  const [lastfp, lastseen] = await Promise.all([
+    db.getObjectField(KEY_LAST_FP(uid), 'v'),
+    db.getObjectField(KEY_LAST_SEEN(uid), 'v'),
+  ]);
+  const lastSeenNum = parseInt(lastseen, 10);
+  const lastFpStr = lastfp ? String(lastfp) : '';
+  if (!lastFpStr) return { trigger: false, reason: 'no_last_fp' };
+  if (lastFpStr === fp) return { trigger: false, reason: 'same_fp' };
+  if (!Number.isFinite(lastSeenNum)) return { trigger: true, reason: 'fp_changed_no_lastseen' };
+  const diff = nowSec - lastSeenNum;
+  if (diff <= settings.windowSeconds) {
+    return { trigger: true, reason: `fp_changed_within_${settings.windowSeconds}s` };
+  }
+  return { trigger: false, reason: `fp_changed_outside_window(${diff}s)` };
+}
+async function updateLast(uid, fp, req, nowSec) {
+  const ip = (req.headers && (req.headers['x-forwarded-for'] || req.ip || '')) || '';
+  const ua = (req.headers && req.headers['user-agent']) || '';
+  await Promise.allSettled([
+    db.setObjectField(KEY_LAST_FP(uid), 'v', fp),
+    db.setObjectField(KEY_LAST_SEEN(uid), 'v', String(nowSec)),
+    db.setObjectField(KEY_LAST_IP(uid), 'v', String(ip).slice(0, 200)),
+    db.setObjectField(KEY_LAST_UA(uid), 'v', String(ua).slice(0, 300)),
+  ]);
+}
+function createSecurityMiddleware(settings, logger) {
+  return async function antiAccountSharingMiddleware(req, res, next) {
     try {
-      if (res && res.status === 401) {
-        // response body json olabilir; klonlayıp okuyalım
-        const clone = res.clone();
-        const data = await clone.json().catch(() => null);
+      if (!settings.enabled) return next();
+      // NodeBB: req.uid login olmuş kullanıcı
+      const uid = parseInt(req.uid, 10);
+      if (!Number.isFinite(uid) || uid <= 0) return next();
+      const fp = getFingerprint(req, settings);
+      const nowSec = Math.floor(Date.now() / 1000);
-        if (data && data.error === 'session_terminated') {
-          showSecurityModal();
+      const check = await shouldTrigger(uid, fp, nowSec, settings);
+      if (check.trigger) {
+        const keepSid = getCurrentSessionId(req);
+        logger.warn('Account sharing suspected (fingerprint changed)', {
+          uid,
+          reason: check.reason,
+          keepSid: keepSid || '',
+          path: req.originalUrl || req.url,
+        });
+        if (settings.enforcement === 'block') {
+          await updateLast(uid, fp, req, nowSec);
+          return res.status(403).json({
+            error: 'account-sharing-detected',
+            message: 'Bu hesap farklı cihaz/ağ üzerinden aynı anda kullanılıyor olabilir.',
+          });
         }
+        // kick mode: diğer session’ları kır
+        const result = await kickOtherSessions(uid, keepSid, logger);
+        logger.info('Kick result', { uid, ...result });
       }
+      // her request sonunda last’i güncelle
+      await updateLast(uid, fp, req, nowSec);
+      return next();
     } catch (e) {
-      // sessiz geç
+      logger.error('Middleware error', { err: e.message });
+      return next();
     }
-    return res;
   };
-})();
+}
+const Security = {};
+Security.init = async function (params) {
+  // NodeBB hook: static:app.load
+  const { app } = params;
+  const settings = await getSettings();
+  const logger = buildLogger(settings);
+  logger.info('Loading security middleware', {
+    enabled: settings.enabled,
+    enforcement: settings.enforcement,
+    windowSeconds: settings.windowSeconds,
+    trustProxy: settings.trustProxy,
+  });
+  if (!app) {
+    logger.warn('No express app passed to security.init (static:app.load?)');
+    return;
+  }
+  // Reverse proxy varsa gerçek IP için
+  try {
+    app.set('trust proxy', !!settings.trustProxy);
+  } catch (e) {}
+  // ✅ DEBUG ENDPOINT
+  // Sadece login olmuş kullanıcı görür (istersen admin-only yap)
+  app.get('/api/aas/debug', async (req, res) => {
+    try {
+      const uid = parseInt(req.uid, 10) || 0;
+      if (uid <= 0) {
+        return res.status(401).json({ ok: false, error: 'not-logged-in' });
+      }
+      // ✅ opsiyonel: sadece admin
+      // const isAdmin = await user.isAdministrator(uid);
+      // if (!isAdmin) return res.status(403).json({ ok: false, error: 'admin-only' });
+      const fp = getFingerprint(req, settings);
+      const sid = req.sessionID;
+      const sessions = await db.getSortedSetRange(`uid:${uid}:sessions`, 0, -1);
+      logger.info('DEBUG endpoint hit', {
+        uid,
+        sid,
+        fp,
+        sessionsCount: sessions.length,
+      });
+      return res.json({
+        ok: true,
+        plugin: PLUGIN_ID,
+        uid,
+        sessionID: sid,
+        fingerprint: fp,
+        sessions,
+        headers: {
+          ua: req.headers['user-agent'],
+          ip: req.headers['x-forwarded-for'] || req.ip,
+        },
+      });
+    } catch (e) {
+      logger.error('DEBUG endpoint error', { err: e.message });
+      return res.status(500).json({ error: e.message });
+    }
+  });
+  // ✅ middleware attach
+  app.use(createSecurityMiddleware(settings, logger));
+  logger.info('Security middleware attached', { plugin: PLUGIN_ID });
+};
+module.exports = Security;